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ABSTRACT 


Layer of Protection Analysis (LOPA), a semi quantitative Process Hazard Analysis (PHA) is found to be 
the effective tool in hazard evaluation and risk assessment. It is found to be the potential semi quantitative 
tool for statutory compliance purposes in UK and effective Process Safety Management tool satisfying 
OSHA requirements in USA. It is a simple tool and identifies the safeguards to be considered for risk 
assessment and risk reduction. Details of the technique with examples are given in this article. 


INTRODUCTION 


Process Hazard Analysis utilizes various tools viz Check lists, Hazard and Operability study, Failure Mode 
and Effect Analysis, Fault Tree Analysis, Event Tree Analysis to identify the Hazards involved in the 
chemical operations. While some of them like such as HAZOP and What-if are qualitative, others such as 
Fault Trees and Event Trees are quantitative. Layer of Protection Analysis (LOPA) is the newest 
methodology for hazard evaluation and risk assessment. The LOPA methodology lies between the 
qualitative end of the scale and the quantitative end. It provides a method for evaluating the risk of hazard 
scenarios and comparing it with risk tolerance criteria to decide if existing safeguards are adequate and if 
additional safeguards are needed. Some people view LOPA as an extension of Process Hazard Analysis 
because it is applied on the data developed by PHA like HAZOP. This article attempts to introduce this 
technique which is widely used by all process industries in all developed countries. 


ORIGIN AND CONCEPT OF LOPA 


The LOPA method was originally developed in the context of defining Safety Integrity Levels (SILs) for 
electrical/electronic/programmable electronic safety related systems. Use of LOPA is consistent with the 
requirements of standards such as ANSI/ISA-84.01-1996 (Application of Safety Instrumented Systems for 
the Process Industries) and IEC 61508 (Functional Safety of Electrical/Electronic/Programmable 
Electronic Safety Related Systems). Subsequently LOPA has found more widespread use as a risk 
assessment technique. 


It is a simplified risk assessment method. LOPA is applied when a scenario is too complex or the 
consequence is too severe for the HAZOP team to make a sound judgment based solely upon the 
qualitative information. On the other hand, it can screen scenarios as a precedent to a QRA. LOPA helps 
organizations to make consistent decisions on the adequacy of the existing or proposed layer of protection 
against an accident scenario. 


This method utilizes the hazardous events, event severity, initiating causes and initiating likelihood data 


developed during HAZOP. It evaluates risks by orders of magnitude of the selected accident scenarios 
and builds on the information developed in qualitative hazard evaluation e.g. PHA. 
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LOPA helps the user to determine the risks associated with the various hazardous events by utilizing their 
severity and the likelihood of the events being initiated. The risk reduction measures employed by the 
industry concerned such as process design are estimated and credit is given for such measures while 
estimating the severity and likelihood. The industry can set their corporate risk standard or follow the risk 
acceptability levels specified by the local governments. If the risk levels are not with in the acceptable 
limits additional risk reduction measures by means of Basic Process Control System (BPCS), alarms, 
human intervention, Safety Instrumented Function etc. can be employed. 


LOPA PROCESS 


LOPA is based on the assessment of single event- consequence scenarios. A scenario consists of an 
initiating event and a consequence. Though multiple initiating events can lead to same consequence, all 
these initiating events must be used to develop scenarios for subsequent assessment. A typical LOPA 
scenario chain is indicated as figure 1 for understanding: 
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Fig 1: LOPA scenario 


Let us discuss the various terminologies used in the above chain with the help of an example for easy 
understanding: 


Event - Initiating and Enabling 


An event is an occurrence to an accident scenario. The initiating event is the event that starts the chain of 
events leading to the undesired consequence. An enabling event or enabling condition is an event or 
condition that is required for the initiating event to unleash a scenario. Enabling events are neither failures 
nor protection layers. They are expressed as probabilities. For example fire due to release of LPG gas 
from a cylinder can be considered as an event. In this case LPG leak from the cylinder can be the 
initiating event. Presence of Ignition source in the area can be the enabling condition. Initiating events 
could be external events like earthquake, wind storm, flood, etc., failures of equipment like rupture or leak 
of vessel, pipeline etc. or human failures. 


Cause 


Condition or state resulting from the events that allowed the Loss Of Containment to occur. The faulty 
valve is the cause of LPG leak. 
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Loss of Containment (LOC) 


Loss of containment is defined as the top event in a scenario that one aims to prevent from occurring. 
Ignition of LPG vapor- air cloud is the loss of containment. 


Consequence 


The consequence or effect is defined as the undesired outcome of an accident scenario. Consequences 
are expressed in terms of material damage, environmental pollution, injuries, fatalities etc. In our example 
both the material damage and injury due to LPG fire are the consequences. 


Independent Protective Layers (IPL) 


After having discussed all the important terminology in the chain, it is important to understand the vertical 
lines shown at every stage of LOPA scenario. Independent Protective Layers are devices, systems, or 
actions that are capable of preventing a scenario from proceeding to an undesired consequence and all 
these layers are independent from one another so that any one failure of the layer will not affect the 
functioning of the other layers. The layers can be either preventive in nature by avoiding an occurrence of 
the scenario or mitigating by minimizing the effects of consequences. Examples for preventive 
independent protective layers are inherently safe design features, physical protection such as relief 
devices, Safety Instrumented Systems etc. Post release physical protection like fire protection systems, 
plant and community emergency response etc can be considered as mitigating protective layers. 
Provision of valve cap on the cylinder can be one of the Independent Protective Layer. 


There are different opinions on which should be considered as IPL. Some literatures suggest or require 
that the training, certification, normal testing and inspection, existence of standard operating procedures, 
routine maintenance, communications, signs, etc., as well as OSHA’s Process Safety Management 
Standard and EPA’s Risk Management Programme should address human factors. 
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METHODOLOGY 
The analytical LOPA method consists of a number of steps viz establishing a consequence criteria, 


identification of accident scenarios and their frequency of occurrence, identification of IPLs, estimation of 
risk and review of existing risk control measures based on the acceptance criteria. (Refer figure 2) 
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SCREENING CRITERIA 
DEVELOP ACCIDENT 
SCENARIOS 
FIRST SCENARIO 


IDENTIFY INITIATING 
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Fig 2: Steps involved in LOPA process 
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CRITERIA FOR EVALUATION 


The crucial step of LOPA is evaluation process for which criteria need to be selected. Three criteria are 
considered for LOPA study: 


e Consequence class characteristics, 
e Likelihood estimation and 
e Tolerance limits fixed by local legislations. 


Consequence class 


Consequence class characteristics are classified in different ways from three levels to five levels as 
chosen by the study team members. The basis for classification depends on local regulations and 
corporate safety and environment philosophy. Consequences are measured in terms of damage to 
people, property and environment. The extent of damage can be predicted by means of experimental 
values or simulated values available for the chemicals. The advantage of LOPA technique lies in the fact 
that it can be used even if no software simulation is available for quantification of consequences. To 
reduce the subjectivity, the guidelines for estimation of consequences have been developed by some 
experts based on the quantity of chemicals involved in the scenario. The guidelines suggested by Colin 
S. ‘Chip’ Howat Ph.D. are widely accepted for estimation purposes. (Refer table 1) 
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Table 1: Guidelines on 


Consequence Size 


Release 
Characteristic 


10- to 100- 
pound Release 


1- to 10- 
pound Release 


Extremely toxic, 
above B.P.* 


Extremely toxic, below B.P. 
or 
Highly toxic, above B.P, 


Highly toxic, below B.P. 
or 
Flammable, above B.P. 


Combustible liquid Category 1 


*B.P. = atmospheric bolling point 


Consequence Category 


Spared or 
Consequence Nonessential Plant Outage 
Characteristic Equipment <4 Month 


Mechanical damage to large 
main product plant 


Category 2 


$10,000 - $100,000 


Category 2 


$0 - $10,000 
Category 1 


Mechanical damage to small 
by-product plant 


Consequence Cost 
(U.S. dollars) 


Consequence 
Characteristic 


Overall cost of event 
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Category 3 Category 4 Category 5 Category 5 


Category 2 Category 3 Category 4 Category 5 


Flammable, below B.P. Category 1 Category 2 Category 2 Category 3 Category 4 


Category 2 
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consequence estimation 


100- to 1,000- 
pound Release 


1,000- to 10,000- 
pound Release 


10,000- to 100,000- 
pound Release 


Category 5 
Category 5 


>100,000- 
pound Release 


Category 5 


Category 5 
Category 5 


Category 5 
Category 3 


Vessel Rupture 


Category 1 Category 2 Category 2 


Vessel Rupture 
3,000 to 10,000 gal >10,000 gal 
100 to 300 psig >300 psig 


Category 4 Category 5 


> $10,000,000 ` 
Category 5 ` 


Plant Outage Plant Outage 
1 to 3 Months >3 Months 


Ta ' 
Category 4 


$1,000,000 = 
$10,000,000 


Category 3 


$100,000 = 
$1,000,000 


Category 3 


Category 4 
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It may be noted that categories can be defined in terms of financial loss as shown in table 1. However the 
values stated in the table may vary based on the size and financial risk tolerance limits chosen by the 
organization. The category referred in the table 1 is defined in terms of effects on plant personnel, 
community and environment as shown in table 2. 


Table 2: Definition of categories of consequence 


Consequence Plant personnel | Community Environment 
class 
1/2 No lost time No hazard No notification 
3. Single injury Odour / noise Permit violation 
4. > 1 injury One or more | Serious offsite 
injuries impact 
5; Fatality One or more | Serious offsite 
severe injuries impact 


Likelihood Estimation 


The frequency of initiating event is based on the past industry data, company experience or incident 
histories. If no data available, estimation can be made based on the subjective assessment of expert 
team. Some of the data used by the industry for various events have been published in the literature. 
Table 3 gives the frequency details for few initiating events. 
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Table 3: Sample frequency table for few initiating events 


eee 


. Example of a Value 
Frequency Range from | Chosen by a Company for 
Literature (yr) Use in LOPA (lyr) 
ae ee 
ha E a = E — a ° a eee ee 


Aimospheric Tank Failure 10° to 104 
Gasket/Packing Blowout 107 to 10% 


Turbine/Diesel Engine Overspeed with Casing 107 10 10% 

Breach s 

Third-party Intervention {extemal impact by 107 to 104 1x10? 
backhoe, vehicle, etc.) 


ara 


e «|| 


Lightning Strike 


St vor ps Sy ca 
cig Far ECCE 


Pump Seal Failure 


Unleading/Loading Hose Failure 
BPCS Instrument Loop Failure 


1 to 107 


Regulator Failure 1 to 10° 


Small External Fire (aggregate causes) | 10%to107 | 
Large Extemal Fire (aggregate causes) 1x10? 


Operator Failure (to execute a complete, routine 10? to 10°/Opportunity ix10°/Opportunity 


procedure: well4rained operator, unstressed, not 
fatiqued) 

The logarithmic frequency of failure can be explained analytically as stated in table 4 for simple 

understanding. 


Table 4: Relation between likelihood and log frequency 


Likelihood Log frequency (/ yr) 
Well probable, frequent 0-1 
Occasional 1-2 
Remote 2-3 
Improbable 3-4 
Nearly impossible 4-5 
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Total risk level can be estimated in terms of severity and probability and can be presented as shown 
below: 


Location Equipment 
Sl. Initiating | Probabilit | Enabling | Probability | Protective Mitigati_ | Consequence 
No. event y Per year | Event Per year Independent ng 
(IE) fie (EE) fee Protective IPL 
Layers (IPL) PFD 
Probable 
Failure on Class | Frequency 
demand 
(PFD) 
Fy F2 P| P| P| P] P | P6 F1XF2XP1x 
1| 2| 3) 45 P2xP3xP4X 
P5X P6 


After identifying the class and frequency, the results of each envisaged scenario should be compared with 
the tolerance limits selected by the organizations based on the local regulations or voluntary corporate 
standards. As statutes in India do not specify acceptable risk limits in statutes explicitly the standards 
adopted by HSE, UK or Netherlands Government can be followed as reference guidelines. 


The risk is estimated and expressed in two different forms: individual risk and societal risk. The individual 
risk is defined as the chance that a person staying at a fixed location permanently is killed as a result of an 
accident in the hazard zone (units / year). The societal risk follows a chance that in a single accident in the 
hazard source a certain number of victims is exceeded. For individual risk, the limit is 10 7° per year and 
for societal risks are set at f= 10 °/N’asa guideline where N is the number of casualties present in the 
damage contours. The table no.5 gives a reference tolerance risk criteria adopted by a company handling 
Ammonium Nitrate based on the statute in The Netherlands. 


Table 5: Risk tolerance criteria 


Frequency of | Consequence Category 

consequence 

(/yr) Category 1 | Category 2 | Category3 | Category4 | Category 5 
107-107 

107-107 

10 7-107 

107-107 

107-10” 

10 -107 

10 7-107 
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Box item 1 explains how LOPA can be used for a scenario of chlorine leak due to fire in the nearby 
vicinity. 
Box item 1 


Example by using LOPA 

Scenario: A simple single event consequence scenario of fire in chlorine tonner storage 

Details: A fire occurs in a chlorine tonner storage area (initiating event). The fire causes an 
explosion of the chlorine tonner (enabling condition). The subsequent release of chlorine liquid/ 
gas may result in chlorine gas dispersion. The dispersion causes one fatality and injuries to 50 
people in the vicinity. 


Fire in the 
Chlorine 


Tonner Storage 


Chlorine 1 fatality 
dispersion into 50 severely 
the atmosphere affected 


Explosion of 
Chlorine 
Tonner 


The initiating event frequency (fire) is estimated as once every 100 years (0.01). The explosion of 
chlorine tonner is the enabling condition. The nearby presence and explosion of chlorine tonner is 
estimated as one out of ten times (0.1). Hence overall frequency for the scenario to occur is one 
in 1000 years. The consequence category from the scenario follows consequence class of 4. As 
per the risk tolerance table the scenario is unacceptable. 


Effect of Independent Protective Layers 

The frequency of the scenario can be changed by fire detection or a sprinkler system. Assuming 
that the detection system has the probability of failure of demand of one out of ten times the 
frequency of the scenario may get reduced from 10° to 10% per year. The strict guideline that all 
those in the hazardous area should use self contained breathing apparatus and Isolated location 
for chlorine shed can reduce the consequence. This makes the risk to come out of the 
unacceptable level. Further risk reduction measures or IPLs such as provision of chlorine 
detection cum alarm system, neutralization or scrubbing facility to take care of escaping chlorine 
gas etc can be employed. 
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BENEFITS OF USING LOPA 


LOPA has numerous advantages compared to other qualitative risk assessment tools and combines the 
advantage of qualitative and quantitative tools. Some of the advantages are summarized below: 


Is a simple risk assessment tool and requires less time and resources than for a QRA but is more 
rigorous than HAZOP. It can be used a screening tool for QRA. 

Improves scenario identification by pairing of the cause and consequence from PHA studies 
Identifies operations, practices, systems and processes that do not have adequate safeguards 
and Helps in deciding the layers of protection required for a process operations and thereby 
focuses on the most critical safety systems. It helps to determine the need for Safety 
Instrumented Systems (SIS) and Safety Integrity Levels (SIL) for SIS. It provides basis for 
specification of IPLs as per ANSI/ISA S84.01, IEC 61508 and IEC 61511. 

Can be used as a Cost Benefit Analysis tool while selecting process safety instrumentation 

Is useful for making risk based decisions during stages like design, management of change, 
preparation of Safety Operating Procedures for operators, incident investigation, emergency 
response planning, bypassing a safety system etc 

Provides due credit to all protective layers and helps in estimating the specific risk level of the unit/ 
equipment. 

Removes subjectivity while providing clarity and consistency to risk assessment and helps to 
compare risks based on a common ground if it is used throughout a plant. 

Can be used as a tool in place of Quantitative Risk Analysis for substances for which standard 
damage distances or effects are not known. In such cases it helps decide if the risk is As Low As 
Reasonably Possible (ALARP) for compliance to regulatory requirements or standards. 

It also supports compliance with process safety regulations - including OSHA PSM 1910.119, 
Seveso II regulations, ANSI/ISA $84.01, IEC 61508 and IEC 61511 


LIMITATIONS OF LOPA 


While using this technique, its limitations should also be kept in mind for deriving better results: 


Risk tolerance criteria must be established for LOPA exercise before the process starts. For 
countries where such criteria has not been specified by statutes it will be difficult to decide which 
standards are to be adopted. 

LOPA offers flexibility to the user in the areas of selecting IPLs and PFDs associated with the 
IPLs though the general industry data is available for the purpose. This brings in subjectivity in the 
assessment process and depends on the expertise of the user. 

It does not decide what specific IPLs should be used and decision depends on the experience 
and expertise of the user. 
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CONCLUSION 


Process industries prefer techniques which can assess the risk levels and can identify the suitable 
safeguards for minimizing the risk levels to satisfy the statutory requirements. Semi Quantitative methods 
are favoured by industries for their less mathematical modeling. Among the semi quantitative methods, 
following methods can also be used though they are less known: 


The Technical Risk Audit Method (TRAM) 

AVRIM2, an audit and inspection tool developed for the Dutch Labour Inspectorate 
Protection Layer Analysis and Optimization (PLANOP) 

The Short-Cut Risk Assessment Method (SCRAM) 

Safety Barrier Diagrams 


Though all of the above methods use layer of protection / line of defence concept, LOPA was found to be 
potentially the most useful for statutory purposes (Control of Major Accident Hazard Regulations 
(COMAH), 1999, UK) at the end of recent research. It is hoped that LOPA will get more prominence 
among the Indian Chemical Industries in the days to come and statutory recognition for such studies. 
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